um...doh typo...

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 26 May 2011 12:46 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 
- httpd logs

Steven Jones wrote:
> Strange dns things?
>
> calling host from the command line works but "something" can't resolve the ipa 
> server....

This is not a DNS problem, you did not give the FQDN to curl. There are
Apache mod_rewrite rules that attempt to redirect HTTP requests to a
point where the name will match the Kerberos service principal for the
server, hence the 301 you got in return.

Please just use the FQDN and all will be well.

rob

>
> regards
>
>
>
>
> ________________________________________
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, 26 May 2011 8:32 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 
> 6.1 - httpd logs
>
> Steven Jones wrote:
>> Outcome? I couldn't see where the 401 or 500 "appeared".....
>>
>> the screen output of curl was as attached.
>
> You didn't use the FQDN of the ipa server so it didn't do the
> authentication.
>
> Please run this again using the FQDN.
>
> rob
>
>>
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Thursday, 26 May 2011 1:21 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 
>> 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> FYI....
>>>
>>> Think I did it right!
>>>
>>> :]
>>
>> What was the outcome? Did you get a 401 or 500? I can't figure it out
>> based on the logs but I do see quite a few successful authentications.
>>
>> Can you isolate the log data for this one curl request?
>>
>> I'd run this on the 6.1 client that you're having problems with.
>>
>> thanks
>>
>> rob
>>
>>>
>>> regards
>>> ________________________________________
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Wednesday, 25 May 2011 3:33 p.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 
>>> 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> FYI
>>>
>>> Ok, this is very strange, it isn't really trying very hard to do the
>>> kerberos authentication.
>>>
>>> It should be requesting the HTTP service principal and then doing the
>>> Negotiate authentication but for some reason it is giving up.
>>>
>>> Here is something to try (obviously replacing ipa.example.com with your
>>> ipa server):
>>>
>>> % kdestroy
>>> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
>>> % export KRB5_CONFIG=`pwd`/test-krb5.conf
>>> % kinit admin
>>> % klist -f (send us this output)
>>> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
>>> % klist -f (send us this too)
>>> % unset KRB5_CONFIG
>>>
>>> You should get a 500 error and not a 401.
>>>
>>> Some logs to capture the tail of:
>>>
>>> Apache error and access logs
>>> /var/log/krb5kdc.log
>>>
>>> rob
>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcrit...@redhat.com]
>>>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 
>>>> 6.1 - httpd logs
>>>>
>>>> Steven Jones wrote:
>>>>> Logs.....
>>>>
>>>> Sorry, had you set the level in the wrong file. Can you set LogLevel
>>>> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>>>
>>>> rob
>>>>
>>>>> ________________________________________
>>>>> From: Rob Crittenden [rcrit...@redhat.com]
>>>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed 
>>>>> to 6.1 - httpd logs
>>>>>
>>>>> Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>>>
>>>>>> Is there a solution to this?
>>>>>
>>>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache
>>>>> and try the join again?
>>>>>
>>>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting
>>>>> the credentials.
>>>>>
>>>>> rob
>>>>>
>>>>>>
>>>>>>
>>>>>> regards
>>>>>> ________________________________________
>>>>>> From: freeipa-users-boun...@redhat.com 
>>>>>> [freeipa-users-boun...@redhat.com] on behalf of Steven Jones 
>>>>>> [steven.jo...@vuw.ac.nz]
>>>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>>>> To: Rob Crittenden
>>>>>> Cc: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed 
>>>>>> to 6.1 - httpd logs
>>>>>>
>>>>>> I must be going blind in my old age.....anyway here they are.
>>>>>>
>>>>>> regards
>>>>>> ________________________________________
>>>>>> From: freeipa-users-boun...@redhat.com 
>>>>>> [freeipa-users-boun...@redhat.com] on behalf of Steven Jones 
>>>>>> [steven.jo...@vuw.ac.nz]
>>>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>>>> To: Rob Crittenden
>>>>>> Cc: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed 
>>>>>> to 6.1
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> 1) Screen data of the install from using the -d option.  (attach d.out)
>>>>>>
>>>>>> 2) ipa-install log
>>>>>>
>>>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>>>>
>>>>>> 4) "Did you also run kinit before manually
>>>>>> running ipa-join in your testing?"  Yes....
>>>>>>
>>>>>> 5) For DNS I added,
>>>>>>
>>>>>>        allow-query { any; };
>>>>>>
>>>>>> into /etc/named.conf clients were then not denied DNS.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>>
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Rob Crittenden [rcrit...@redhat.com]
>>>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>>>> To: Steven Jones
>>>>>> Cc: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed 
>>>>>> to 6.1
>>>>>>
>>>>>> Steven Jones wrote:
>>>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that 
>>>>>>> over from the ipa-server and re-ran ipa-join, still getting the same 
>>>>>>> 401 failure...
>>>>>>
>>>>>> This is a different mismatch than you were seeing with 5.6 (and a
>>>>>> completely different error message).
>>>>>>
>>>>>> A few things to note:
>>>>>>
>>>>>> - In general, when you reference any IPA server you should always use
>>>>>> the fully-qualified name. The SSL error you had was because the name did
>>>>>> not match the certificate.
>>>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so
>>>>>> you can always check the Apache error/access logs for diagnostic
>>>>>> information.
>>>>>> - The integrated DNS stores information in LDAP, not flat files, so
>>>>>> having no data in /var/named is not surprising.
>>>>>>
>>>>>> ipa-join needs authentication in the form of a TGT or a one-time
>>>>>> password. It definitely did one in the log you provided and you still
>>>>>> got a 401, which is strange. Did you also run kinit before manually
>>>>>> running ipa-join in your testing?
>>>>>>
>>>>>> Running ipa-join or ipa-client-install with the -d option will provide a
>>>>>> lot more debugging information.
>>>>>>
>>>>>> I think the first place to check is the Apache error log to see why the
>>>>>> join call failed.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>
>>
>

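The check Rob's kdestroy/kinit/curl/klist procedure is driving at, as an added example that is not part of the thread: given the hostname passed to curl, the realm, and the `klist -f` output captured after the curl call, derive the HTTP/ service principal the client had to obtain and report whether a short name was used, whether a TGT existed, or whether the service ticket was never requested. The klist sample, hostnames and realm below are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `klist -f` output as it would look right after the
# `curl --negotiate` step, once the HTTP/ service ticket has been obtained.
SAMPLE_KLIST_AFTER_CURL = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/11 15:01:02  05/26/11 15:01:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
05/25/11 15:01:10  05/26/11 15:01:02  HTTP/ipa.example.com@EXAMPLE.COM
        Flags: FAT
"""

def expected_http_principal(host: str, realm: str) -> Optional[str]:
    """Service principal curl must obtain for SPNEGO against `host`.
    Returns None for a short name or bare IP, the mistake in the thread."""
    host = host.strip().rstrip(".").lower()
    if "." not in host or host.replace(".", "").isdigit():
        return None
    return f"HTTP/{host}@{realm.upper()}"

def parse_klist(text: str) -> List[Dict[str, str]]:
    """Parse the ticket table of `klist -f` into {service, flags} dicts;
    flags is '' if no 'Flags:' line follows the ticket."""
    tickets: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$", line)
        if m:
            tickets.append({"service": m.group(1), "flags": ""})
        elif line.strip().startswith("Flags:") and tickets:
            tickets[-1]["flags"] = line.split(":", 1)[1].strip()
    return tickets

def diagnose(curl_host: str, realm: str, klist_text: str) -> str:
    """Classify the post-curl `klist -f` snapshot: was the name usable,
    was there a TGT, and did the client get the HTTP/ service ticket?"""
    principal = expected_http_principal(curl_host, realm)
    if principal is None:
        return f"not-fqdn: '{curl_host}' cannot match any HTTP/ principal"
    tickets = {t["service"]: t["flags"] for t in parse_klist(klist_text)}
    if not any(s.startswith("krbtgt/") for s in tickets):
        return "no-tgt: run kinit first"
    if principal not in tickets:
        return f"no-service-ticket: {principal} never requested"
    return f"ok: {principal} obtained (flags {tickets[principal]})"
```

A "not-fqdn" result is the 301 case from the thread; "no-service-ticket" with a TGT present points at the Apache error log and /var/log/krb5kdc.log.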
